by David Harley Senior Research Fellow
It’s not only the malware that ESET calls Win32/Flamer.A which is complex (and quite dauntingly large).
The news and speculation around this threat is also extensive and complex. While it is understandable that what appears to be a sophisticated threat found in several regions, some of them particularly politically sensitive, has excited so much interest. conflicting conjecture and confusion over the ‘ownership’ of the detection is muddying the waters somewhat. According to the Iran National CERT, it had detection (but not removal) for the malware in early May, but Kaspersky claims it’s been in the wild since March 2010. This seems to be the same malware theat that the Laboratory of Cryptography and System Security (CrySyS) in Budapest calls sKyWIper (which they believe may have been active for 5-8 years or even longer). However, it looks as if those assumptions on timing are incorrect: module compilation dates have been manipulated, presumably in order to hamper researchers in some way.
The news and speculation around this threat is also extensive and complex. While it is understandable that what appears to be a sophisticated threat found in several regions, some of them particularly politically sensitive, has excited so much interest. conflicting conjecture and confusion over the ‘ownership’ of the detection is muddying the waters somewhat. According to the Iran National CERT, it had detection (but not removal) for the malware in early May, but Kaspersky claims it’s been in the wild since March 2010. This seems to be the same malware theat that the Laboratory of Cryptography and System Security (CrySyS) in Budapest calls sKyWIper (which they believe may have been active for 5-8 years or even longer). However, it looks as if those assumptions on timing are incorrect: module compilation dates have been manipulated, presumably in order to hamper researchers in some way.
Nonetheless, the Budapest lab has some interesting initial analysis which shouldn’t be overlooked. While I’m reluctant to add to the confusion, it seems to me of interest that the malware has been reported not only in the Middle East/Western Asia (including Israel, curiously enough), but also in Eastern Europe (notably Hungary and Austria) and even Hong Kong. Whether it’s actually targeting a specific country is not clear: after all, Stuxnet is nowadays assumed to have been targeting Iran, but was originally detected over a very wide area. While there’s speculation that Flamer is linked in some way to Stuxnet and Duqu, that seems to me to be – well, speculative, as most of the code seems very different.
Perhaps the most interesting feature is that the Iran National CERT (Maher) has volunteered to share samples with security vendors even though many software vendors (notably those headquartered in the US) are unable to trade legally with Iran. (Bizarrely, these malicious programs are running in Iran on an operating system that Microsoft can’t export to Iran.) This restriction may have hampered initial detection of the malware by security vendors outside the region, but samples have subsequently trickled into the mainstream via secondary sources.
The whole episode seems strangely reminiscent of the excitement back in 1990 about Whale. This was a very large, very complex, heavily-armoured virus that attracted a great deal of detailed analysis: as Alan Solomon said later, far more analysis than was really necessary to write detection for the thing. I guess researchers had more spare time in those days. There is a difference, though: Whale was significant because of the array of interesting techniques it contained, but as malware it was barely functional. Flamer, however, looks to be too effective to be ignored, even though detection for it is already widespread. In that respect, it is like Stuxnet: no-one will be happy until we have a better idea of the who, the whys and the wherefores behind it.
David Harley CITP FBCS CISSP
ESET Senior Research Fellow